Use of Weak Hashing Algorithms (MD5 and SHA1) during Client Initialization

[tianjk99]

Please check if there is any problem with using weak cryptographic algorithms.
The current implementation in the code utilizes the MD5 and SHA1 hash algorithm, which is considered weak and vulnerable to attacks such as collision and preimage attacks. This poses a security risk as it can potentially be exploited by malicious actors to compromise the integrity and confidentiality of the WebSocket communication.

1. bcoin-master\node_modules\bsock\vendor\faye-websocket.js, line 1462
2. bcoin-master\node_modules\bsock\vendor\faye-websocket.js, line 2919

Hybi.generateAccept = function(key) { var sha1 = crypto.createHash('sha1'); sha1.update(key + Hybi.GUID); return sha1.digest('base64'); };

` _handshakeSignature: function() {
if (this._body.length < this.BODY_SIZE) return null;

var md5    = crypto.createHash('md5'),
    buffer = new Buffer(8 + this.BODY_SIZE);

buffer.writeUInt32BE(this._keyValues[0], 0);
buffer.writeUInt32BE(this._keyValues[1], 4);
new Buffer(this._body).copy(buffer, 8, 0, this.BODY_SIZE);

md5.update(buffer);
return new Buffer(md5.digest('binary'), 'binary');

},`

[Sintayew4]

#1174

[nodech]

The code you provided is not from bsock. It belongs to faye-websocket and it's just vendored version of the file.
md5 is part of the protocol draft76 you can check original repo: https://github.com/faye/websocket-driver-node/